HIGHSupply Chain
Verified
Global

Cl0p Mass Exploits Cleo File Transfer Zero-Day — 600+ Organizations Hit

·Source: Huntress / Cleo Advisory

Updated:

Executive Summary

Cl0p launches fourth major file transfer campaign exploiting Cleo Harmony, VLTrader, and LexiCom zero-day. Systematic data exfiltration ongoing.

Analysis

CVE-2026-27891 is a deserialization flaw in Cleo products allowing unauthenticated RCE. Huntress detected exploitation March 18. Over 600 organizations compromised. This is Cl0p fourth file transfer campaign after Accellion, GoAnywhere, and MOVEit.

Timeline

Discovered
Mar 18, 2026
Exploitation Detected
Mar 18, 2026
Published
Mar 22, 2026
Patch Available
Mar 21, 2026

Indicators of Compromise (1)

CVE (1)
CVE-2026-27891
NVDMITRE CVE
Source Attribution

Originally published by Huntress / Cleo Advisory on Mar 22, 2026. Verified by: Huntress, CISA, Cleo.

Related Threats

LOWSupply Chain

GitHub Actions Supply Chain Attack Redirects Tags to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

The Hacker News
LOWSupply Chain

Popular GitHub Action Tags Redirected to Imposter Commit to Steal CI/CD Credentials

In yet another software supply chain attack, threat actors have compromised the popular GitHub Actions workflow, actions-cool/issues-helper, to run malicious code that harvests sensitive credentials and exfiltrates them to an attacker-controlled server. "Every existing tag in the repository has been moved to point to an imposter commit that does not appear in the action's normal commit history,

The Hacker News
MEDIUMSupply Chain

Mini Shai-Hulud Pushes Malicious AntV npm Packages via Compromised Maintainer Account

Cybersecurity researchers have discovered a fresh software supply chain attack campaign that has compromised various npm packages associated with the @antv ecosystem as part of the ongoing Mini Shai-Hulud attack wave. "The attack affects packages tied to the npm maintainer account atool, including echarts-for-react, a widely used React wrapper for Apache ECharts with roughly 1.1 million weekly

The Hacker News